3.11 Day-to-Day Management
Once PacketiX VPN Server 2.0 is fully installed and set up, it
basically operates continuously without requiring frequent
administrative intervention or status checks. However, in order to
continue providing a good service to VPN users, performing the
following day-to-day management tasks may prove beneficial. The
following explains daily management methods and know-how in the form
of tips from an Administrator's perspective.
3.11.1 Auditing the Server Log
By checking the server log written by the VPN Server on a daily
basis, the VPN Server Administrator can audit the server's operational
status. The server log is not in an obscure machine-oriented data
format but in a human-readable text format, and is therefore not too
difficult to look over each day.
Moreover, it is better to examine not only the VPN Server log but
also the log of the OS running the VPN Server and the logs of all
network devices connected to the computer (routers etc.) on a regular
basis.
Frequent checking of these logs allows for the early detection of the
following types of problems.
- When user authentication failures, which normally occur only
occasionally, are happening frequently, this may indicate that
someone is attempting to gain unauthorized access to the VPN Server.
In this case, the IP Access Control List function can be used to
deny VPN connections from the IP address of the suspected attacker.
- When VPN connections are being made from unknown VPN clients, this
may reveal that a user's password has been cracked and unauthorized
access to the VPN Server has been gained.
- When communication events are being recorded repeatedly in the
Virtual HUB's security log, it is possible that some kind of anomaly
has occurred within the VPN network.
- By mechanically processing the log file (for instance, extracting
the necessary lines with a tool such as [grep] and parsing them with
a tool such as [Perl]), it is possible to compile a database of the
time and frequency of each user's connections.
- The contents of packet logs can likewise be processed mechanically.
Storing packet logs in a database and indexing their headers enables
rapid packet log searches when tracing is required at a later date.
- Consider using the Syslog Transmission function explained in
「3.3.17 Syslog Transmission Function」 if necessary. Note, however,
that when the Syslog Transmission function is used, log entries may
be lost if packet loss occurs while a large volume of log data is
being sent.
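As an added illustration of the grep-and-Perl approach described above (this is example code written for this page, not part of PacketiX VPN), the following Python script parses a constructed server log, counts authentication failures per source address so that repeat offenders can be added to the IP Access Control List, builds a per-user connection history (time and frequency of each user's connections), and flags successful logins from addresses outside an expected set. The two message formats, the addresses, the timestamps and the failure threshold of 5 are invented for the example; adapt the regular expressions to the exact wording of your own vpn_server log before use.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not a real PacketiX log); the wording, timestamps
# and addresses are invented for this example.
SAMPLE_LOG = """\
2006-03-01 08:59:12.101 Connection "CID-1" (IP address 203.0.113.7, Port number 55201): User authentication failed. The user name that has been provided was "admin".
2006-03-01 08:59:13.204 Connection "CID-2" (IP address 203.0.113.7, Port number 55202): User authentication failed. The user name that has been provided was "root".
2006-03-01 08:59:14.310 Connection "CID-3" (IP address 203.0.113.7, Port number 55203): User authentication failed. The user name that has been provided was "test".
2006-03-01 08:59:15.402 Connection "CID-4" (IP address 203.0.113.7, Port number 55204): User authentication failed. The user name that has been provided was "guest".
2006-03-01 08:59:16.511 Connection "CID-5" (IP address 203.0.113.7, Port number 55205): User authentication failed. The user name that has been provided was "alice".
2006-03-01 09:00:01.500 Session "SID-ALICE-1": User "alice" (IP address 192.0.2.10) has connected to Virtual HUB "DEFAULT".
2006-03-01 09:05:44.018 Connection "CID-7" (IP address 192.0.2.10, Port number 55301): User authentication failed. The user name that has been provided was "alice".
2006-03-01 09:06:02.777 Session "SID-ALICE-2": User "alice" (IP address 192.0.2.10) has connected to Virtual HUB "DEFAULT".
2006-03-01 23:41:09.003 Session "SID-BOB-1": User "bob" (IP address 198.51.100.4) has connected to Virtual HUB "DEFAULT".
"""

# Assumed message formats; adjust these two patterns to your real log wording.
AUTH_FAIL_RE = re.compile(
    r'^(?P<ts>\S+ \S+) Connection "[^"]+" \(IP address (?P<ip>[\d.]+), '
    r'Port number \d+\): User authentication failed\. '
    r'The user name that has been provided was "(?P<user>[^"]*)"\.')
CONNECT_RE = re.compile(
    r'^(?P<ts>\S+ \S+) Session "[^"]+": User "(?P<user>[^"]+)" '
    r'\(IP address (?P<ip>[\d.]+)\) has connected to Virtual HUB "(?P<hub>[^"]+)"\.')


def parse_log(text):
    """Turn the lines we understand into events: {'kind', 'ts', 'user', 'ip', ...}."""
    events = []
    for line in text.splitlines():
        m = AUTH_FAIL_RE.match(line)
        if m:
            events.append({"kind": "auth_fail", **m.groupdict()})
            continue
        m = CONNECT_RE.match(line)
        if m:
            events.append({"kind": "connect", **m.groupdict()})
    return events


def suspicious_sources(events, threshold=5):
    """Source addresses with at least `threshold` failed logins: candidates for
    a deny entry in the IP Access Control List."""
    fails = Counter(e["ip"] for e in events if e["kind"] == "auth_fail")
    return {ip: n for ip, n in fails.items() if n >= threshold}


def connections_by_user(events):
    """Map each user to the timestamps of successful connections, i.e. the
    time and frequency of that user's connections."""
    by_user = defaultdict(list)
    for e in events:
        if e["kind"] == "connect":
            by_user[e["user"]].append(e["ts"])
    return dict(by_user)


def unknown_clients(events, known_sources):
    """Successful logins from addresses outside the expected set: a hint that
    a user's password may have been cracked."""
    return sorted({(e["user"], e["ip"]) for e in events
                   if e["kind"] == "connect" and e["ip"] not in known_sources})


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("repeat auth failures:", suspicious_sources(ev))
    print("connections per user:", connections_by_user(ev))
    print("unexpected sources:", unknown_clients(ev, {"192.0.2.10"}))
```

For a daily run, pre-filter with grep (for instance only lines containing "authentication failed" and "has connected") and feed the result to parse_log; the per-user history returned by connections_by_user is what would be loaded into the database mentioned above.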
3.11.2 Checking Usage Status
The VPN Server and Virtual HUBs automatically record and maintain
statistical information relating to various objects (see 「3.3.10 Administration of Statistical Information」 for
details). By checking this statistical information, the VPN Server and
Virtual HUB Administrators can obtain information about the VPN
service's usage status, such as which users and Virtual HUBs have a
large communication volume.
3.11.3 Backing Up Configuration Information
It is recommended that the VPN Server Administrator make regular
backups of the [vpn_server.config] file, as this file contains all of
the information required to operate the VPN Server. Automatically
backing up the vpn_server.config file to a separate computer is also
prudent in preparation for a potential hardware failure on the
computer running the VPN Server. Because this file also holds
security-sensitive settings such as user credentials and the server
certificate's private key, backups must be stored with the same
protection as the VPN Server itself.
It is also recommended to back up all log files (server log, security
log and packet log) onto a secure device such as external media wherever
possible. Note that when disk capacity appears likely to run out, old
log files are automatically deleted by the VPN Server to give priority
to writing new ones (refer to 「3.3.11 Automatic Adjustment when Disk Space is Insufficient」 for details).
3.11.4 Recovering from Failure
When a failure such as a physical malfunction occurs on the computer
running the VPN Server, operation can be continued with the
configuration in use before the failure by immediately preparing a
separate computer with the VPN Server installed and having it read the
latest vpn_server.config backup file.
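The backup-and-restore procedure of 3.11.3 and 3.11.4, as an added Python example (not code from PacketiX VPN): each copy of vpn_server.config is stored under a timestamped name next to a SHA-256 sidecar, the oldest copies beyond a retention count are pruned, and a restore uses only the newest copy whose hash still matches, so a backup damaged on its way to the spare computer is skipped rather than loaded. The backup directory layout, the sidecar naming, the function names and the retention count are assumptions of the example; run backup_config from a scheduled task with the backup directory on a share or synchronised folder of a separate machine, and stop the VPN Server before calling restore_config.

```python
import hashlib
import shutil
import time
from pathlib import Path


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_config(config_path, backup_dir, keep=48, stamp=None):
    """Copy the config to backup_dir/<name>.<stamp> with a .sha256 sidecar and
    prune the oldest copies beyond `keep`. Returns the path of the new copy.
    (Layout and naming are this example's own convention.)"""
    config_path, backup_dir = Path(config_path), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")   # sorts chronologically
    dest = backup_dir / f"{config_path.name}.{stamp}"
    shutil.copy2(config_path, dest)
    dest.with_name(dest.name + ".sha256").write_text(sha256_of(dest) + "\n")
    copies = sorted(p for p in backup_dir.glob(config_path.name + ".*")
                    if not p.name.endswith(".sha256"))
    for old in (copies[:-keep] if keep > 0 else []):
        old.unlink()
        old.with_name(old.name + ".sha256").unlink(missing_ok=True)
    return dest


def latest_verified_backup(backup_dir, name="vpn_server.config"):
    """Newest copy whose sidecar hash still matches; a copy that fails the
    check is skipped so a corrupted backup is never restored."""
    for cand in sorted(Path(backup_dir).glob(name + ".*"), reverse=True):
        if cand.name.endswith(".sha256"):
            continue
        sidecar = cand.with_name(cand.name + ".sha256")
        if sidecar.exists() and sidecar.read_text().strip() == sha256_of(cand):
            return cand
    return None


def restore_config(backup_dir, config_path):
    """Replace config_path with the latest verified backup (recovery on a
    freshly installed spare computer). Returns the backup that was used."""
    src = latest_verified_backup(backup_dir, Path(config_path).name)
    if src is None:
        raise RuntimeError("no intact backup available")
    shutil.copy2(src, config_path)
    return src


if __name__ == "__main__":
    print(backup_config("vpn_server.config", "config_backups"))
```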
3.11.5 Rolling Back the Configuration
Even when Administrators do not explicitly perform backups, a history
of the Configuration file is saved once every hour whenever the file's
contents have changed (please refer to 「3.3.9 Configuration History」 for details). If the
Configuration file is corrupted or deleted because of a disk
malfunction or power outage, or if important settings are erroneously
deleted and re-entering them would be difficult, it is possible to roll
back to the contents of the Configuration file at an arbitrary earlier
point using this automatic history.
Please refer to the section in 「3.3.7 Configuration File」 entitled "Replacing the
Configuration File" for details on how to restore the Configuration
file.
3.11.6 Confirming Hard Disk Availability
Pay attention to the computer's available hard disk capacity, not
only for the VPN Server but when operating any server service. On the
VPN Server in particular, which saves many log files, log files are
automatically deleted in sequence starting with the oldest when hard
disk space runs low. To prevent this, make regular backups of old log
files before they are deleted.
If a server other than the VPN Server is running on the same
computer, note that the VPN Server can also be affected by the disk
capacity consumed by logs and data files written by that other
software.
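The disk-space check of 3.11.6 together with the log-archiving advice of 3.11.3, as an added Python example (not part of PacketiX VPN): it measures free space on the filesystem holding the log directory and, when free space is below a threshold, moves just enough of the oldest log files onto an archive location, oldest first, which is the same order in which the VPN Server would otherwise delete them. The log directory layout, the *.log name pattern, the function names and the 10% threshold are assumptions of the example; the archive directory must be on different media (external disk, network share), since moving files within the same filesystem frees nothing.

```python
import shutil
from pathlib import Path


def free_ratio(path):
    """Fraction of the filesystem holding `path` that is still free."""
    usage = shutil.disk_usage(path)
    return usage.free / usage.total


def logs_oldest_first(log_dir, pattern="*.log"):
    """Log files below log_dir, oldest modification time first: the order the
    VPN Server deletes them in when space runs out, so also the order to
    archive them in. (Directory layout and name pattern are assumed.)"""
    return sorted(Path(log_dir).rglob(pattern),
                  key=lambda p: (p.stat().st_mtime, str(p)))


def select_logs_to_archive(log_dir, bytes_needed, pattern="*.log"):
    """Oldest logs whose combined size reaches bytes_needed."""
    chosen, total = [], 0
    for p in logs_oldest_first(log_dir, pattern):
        if total >= bytes_needed:
            break
        chosen.append(p)
        total += p.stat().st_size
    return chosen


def archive_logs(files, log_dir, archive_dir):
    """Move files to archive_dir, keeping their path relative to log_dir so
    that same-named logs of different Virtual HUBs do not collide."""
    moved = []
    for src in files:
        dest = Path(archive_dir) / src.relative_to(log_dir)
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(src), str(dest))
        moved.append(dest)
    return moved


def ensure_free_space(log_dir, archive_dir, min_free_ratio=0.10):
    """Archive just enough of the oldest logs to bring free space back above
    min_free_ratio. Returns the list of archived paths (empty if nothing
    needed to move). archive_dir must be on other media."""
    usage = shutil.disk_usage(log_dir)
    shortfall = int(min_free_ratio * usage.total) - usage.free
    if shortfall <= 0:
        return []
    return archive_logs(select_logs_to_archive(log_dir, shortfall),
                        log_dir, archive_dir)


if __name__ == "__main__":
    print(f"free: {free_ratio('.'):.1%}")
    print(ensure_free_space("log", "/mnt/external/vpn_logs"))
```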
3.11.7 Network Administration Support Tools
In some cases, the routine administration of the computer running the
VPN Server can be simplified by using commercial or free network
management software.
For example, a utility that supports SNMP (Simple Network Management
Protocol) can display a simple graph of the CPU usage and network
traffic of the VPN Server computer.
In addition, integrated management software can manage the server
computers running the VPN Server and other services together, enabling
regular backups, server reboots and the application of system patches.
3.11.8 Checking Sufficiency of Required Resources
The operating performance of the VPN Server depends upon the server
computer's CPU speed, memory speed and availability, remaining hard
disk capacity and fragmentation ratio, and network bandwidth.
- It is recommended that the CPU of the VPN Server computer be as
fast as budget and usability constraints allow. CPU speed has a
significant impact on the speed of VPN communication encryption and
decryption, RSA operations, and encapsulation and decapsulation.
Select a CPU with a large cache that offers Hyper-Threading or
multi-core technology and is well suited to parallel processing.
- The VPN Server processes large volumes of data on the fly, and much
of that data is held temporarily in memory, so the VPN Server's
performance is affected considerably by memory speed. Moreover,
depending on the OS, swapping occurs when available physical memory
becomes scarce; the code accessing that memory is stalled during swap
processing, which can seriously degrade the operation of the VPN
Server. It is therefore recommended that sufficient memory be
installed on the server computer in advance, especially when
processing a large number of simultaneous connections or writing
packet logs for many types of packets.
- The VPN Server writes many logs to the hard disk. If available hard
disk space becomes deficient or fragmentation becomes severe, writing
these logs becomes time-consuming, which is undesirable.
- PacketiX VPN is communication software, so it is recommended that
the VPN Server be connected to a high-bandwidth, low-latency network.
When processing a large number of simultaneous connections, a single
VPN Server computer may not be able to provide satisfactory hardware
resources. The VPN Server's clustering function should be considered in
such situations.
3.11.9 Measuring Effective Throughput
When administering the VPN Server, it is recommended that a VPN
connection be made from the user's perspective on a regular basis in
order to measure the effective throughput. The easiest way to measure
effective throughput is to prepare two client computers, connect both
to the same segment via the line normally used by users, and then
measure the communication throughput between them using a throughput
measuring tool. For details, please refer to 「4.8 Measuring Effective Throughput」.
If the result is considerably lower than expected, the cause most
likely lies with the network or the hardware resources of the server
computer, so these areas should be examined.
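A minimal throughput measuring tool of the kind referred to above, as an added Python example (not part of PacketiX VPN or of 4.8): one side binds a listener, accepts a TCP connection and counts the bytes received; the other pushes a fixed amount of filler data; the elapsed time between the first byte sent and the last byte received gives the effective throughput. For a real measurement run receive_bytes on one client computer and send_bytes on the other, both connected to the same Virtual HUB; measure_throughput runs both halves over loopback in one process so the script can be tried stand-alone. The byte counts, the filler pattern and the function names are the example's own assumptions.

```python
import socket
import threading
import time


def receive_bytes(listener, nbytes, result):
    """Receiver side: accept one connection, read until nbytes have arrived
    (or the peer closes), and record the byte count and finish time."""
    conn, _ = listener.accept()
    with conn:
        buf = bytearray(1 << 16)
        got = 0
        while got < nbytes:
            n = conn.recv_into(buf)
            if n == 0:          # peer closed early
                break
            got += n
    result["received"] = got
    result["finished"] = time.perf_counter()


def send_bytes(addr, nbytes, chunk=1 << 16):
    """Sender side: push nbytes of filler over one TCP connection and return
    the time at which sending started."""
    payload = b"\x5a" * chunk   # arbitrary filler pattern (assumed)
    with socket.create_connection(addr) as s:
        start = time.perf_counter()
        sent = 0
        while sent < nbytes:
            part = payload[:min(chunk, nbytes - sent)]
            s.sendall(part)
            sent += len(part)
        s.shutdown(socket.SHUT_WR)
    return start


def measure_throughput(nbytes=32 << 20, host="127.0.0.1"):
    """Run receiver and sender in one process over loopback and report the
    effective throughput as {'bytes', 'seconds', 'mbit_s'}."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, 0))            # port 0: let the OS pick a free port
    listener.listen(1)
    result = {}
    t = threading.Thread(target=receive_bytes, args=(listener, nbytes, result))
    t.start()
    start = send_bytes(listener.getsockname(), nbytes)
    t.join()
    listener.close()
    seconds = result["finished"] - start
    return {"bytes": result["received"], "seconds": seconds,
            "mbit_s": result["received"] * 8 / seconds / 1e6}


if __name__ == "__main__":
    r = measure_throughput()
    print(f"{r['bytes']} bytes in {r['seconds']:.3f} s: {r['mbit_s']:.1f} Mbit/s")
```

Run the measurement several times and at different times of day; a single run over a VPN is dominated by the slowest link, so compare the figure against the same test run on the physical LAN to see how much the VPN itself costs.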